New Jersey Security of Personal Information (Data Breach)
NJ Rev. Stat. § 56:8-161, et seq.
NJ Admin Code § 13:45F-5.2
SUMMARY:
EFFECTIVE. January 1, 2006
WHO DOES THIS LAW APPLY TO. Any business or government agency that conducts business in New Jersey and compiles or maintains computerized data that includes Personal Information.
WHAT IS A BREACH. Unauthorized access to unencrypted or unredacted computerized data that compromises the security, integrity, or confidentiality of Personal Information maintained by a business or government agency. Good faith acquisition of Personal Information by an employee or agent of a business for a legitimate purpose is not a breach, if it is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted, or secured by any other method rendering the element unreadable or unusable:
- Social Security Number.
- Driver’s license number or State identification card number.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Unauthorized access to the means of linking disassociated data, such that if linked, would constitute Personal Information.
Personal Information does not include publicly available information that is lawfully available from Federal, State, or local government records, or widely distributed media.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the residents affected. Any business or government agency that is required to give notice of a security breach shall first report the breach and related information to the Division of State Police in the Department of Law and Public Safety.
If more than 1,000 residents are involved in a breach, the business or government agency shall also notify, without unreasonable delay, all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)), of the timing, distribution, and content of the notices.
EXCEPTION. This Section does not apply in the following cases:
- Information that is encrypted, or secured by any other method or technology that renders it unreadable or unusable.
- No notification is required if the business or government agency determines that misuse of the information is not reasonably possible. Any such determination shall be documented in writing and retained for five (5) years.
- A business or government agency that maintains its own notice procedures as part of a Personal Information security policy, otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected individuals are notified by the business or government agency in accordance with its policies.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the business discovers or is notified of an incident of unauthorized acquisition. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the needs of law enforcement or any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines that it will impede a criminal or civil investigation and requests the delay. In that instance, notification will be made after clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic (if consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- In the case of a breach of security involving a user name or password, in combination with any password or security question and answer that would permit access to an online account, and no other personal information, the business or public entity may provide the notification in electronic or other form that directs the customer whose personal information has been breached to promptly change any password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the business or public entity and all other online accounts for which the customer uses the same user name or email address and password or security question or answer.
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the business or government agency can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the business or government agency has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the business or government agency has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the business or government agency if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a business or government agency maintains data that includes Personal Information that it does not own, then the business or government agency shall notify the owner of the security breach immediately upon discovery. The business or government agency that owns or licenses the computerized data shall provide notice to the affected residents.
CONSEQUENCES FOR FAILING TO NOTIFY. Not stated.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. N.J. Stat. § 56:8-161 - § 56:8-162. A business or public entity shall destroy, or arrange for the destruction of, a customer's records within its custody or control containing personal information, which is no longer to be retained by the business or public entity, by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable, undecipherable or nonreconstructable through generally available means.
LEGISLATIVE UPDATES.
A. 4001 – Signed into law on 9/22/2005, Effective 1/1/2006.
S.B. 52 – Signed into law on 5/10/2019, Effective 9/1/2019.
For more information, see:
https://lis.njleg.state.nj.us/nxt/gateway.dll?f=templates&fn=default.htm&vid=Publish:10.1048/Enu
and
https://www.njconsumeraffairs.gov/regulations/Chapter-45F-Identity-Theft.pdf
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.